Bug details:

002:

Problem:
The problem is a hack in mini_fo_mmap() in file.c, where vma->vm_file is changed to point to the lower file. First, deny_write_access() is called on the mini_fo file, which (correctly) decrements its file->f_dentry->d_inode->i_writecount. But after the switch the lower inode's i_writecount is still zero, which leads to get_write_access() succeeding and the binary being truncated.

Solution:
No easy one.
Ugly: hack to synchronize the i_writecounts of mini_fo and lower inodes.
Properly: implement mini_fo aops to do fan-out.
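
The counter mismatch described above, as an added userspace model (not mini_fo or kernel code). The model_* names and the sync_lower switch are hypothetical. The two helpers follow the kernel's i_writecount convention, and the model assumes, as the problem description states, that the write check runs against the lower inode.

```c
#include <errno.h>
#include <stdio.h>

/* Userspace model of the per-inode i_writecount:
 *   > 0  number of writers, < 0  number of deny-write holders. */
struct model_inode { int i_writecount; };

/* Mirrors get_write_access(): refused while writes are denied. */
static int model_get_write_access(struct model_inode *inode)
{
    if (inode->i_writecount < 0)
        return -ETXTBSY;
    inode->i_writecount++;
    return 0;
}

/* Mirrors deny_write_access(): refused while writers exist. */
static int model_deny_write_access(struct model_inode *inode)
{
    if (inode->i_writecount > 0)
        return -ETXTBSY;
    inode->i_writecount--;
    return 0;
}

/* Deny writes via the mini_fo (upper) inode, then request write access
 * on the lower inode.
 * sync_lower = 0: the behaviour in the bug report (only upper is denied).
 * sync_lower = 1: the "ugly" fix, mirroring the deny onto the lower inode. */
static int write_access_after_deny(int sync_lower)
{
    struct model_inode upper = { 0 }, lower = { 0 };

    model_deny_write_access(&upper);      /* lands on the mini_fo inode */
    if (sync_lower)
        model_deny_write_access(&lower);  /* keep both counters in step */
    /* vma->vm_file now points at the lower file; its counter decides. */
    return model_get_write_access(&lower);
}

int main(void)
{
    printf("unsynchronized: %d\n", write_access_after_deny(0));
    printf("synchronized:   %d\n", write_access_after_deny(1));
    return 0;
}
```

In the unsynchronized case the write request is granted even though the file is mapped for execution; with the counters kept in step it fails with -ETXTBSY.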